Cyber security aggregate rss news

Cyber security aggregator - feeds history

 Firewall Daily

The Government Computer Emergency Response Team (CERT-UA) issued an important warning about a series of targeted cyberattacks aimed at employees of Ukraine's defense-industrial complex and members of the Armed Forces. The activity is tracked under the identifier UAC-0200 and marks a concerning escalation in espionage activity leveraging the DarkCrystal RAT (DCRAT).

According to CERT-UA, the attacks have been ongoing since at least the summer of 2024 and employ sophisticated tactics to gain unauthorized access to sensitive information. One of the primary techniques identified involves the Signal messaging app, where the attackers spread messages disguised as meeting reports. These deceptive messages often carry compressed archives containing a PDF document and an executable classified as DarkTortilla. DarkTortilla serves as a cryptor/loader that decrypts and launches DarkCrystal RAT (DCRAT) on the infected system.

How the DarkCrystal RAT Works

DarkCrystal RAT (DCRAT) is a powerful remote access tool that allows cybercriminals to control infected systems from a distance. Once installed, it grants the attackers complete control over the victim's device, enabling them to exfiltrate sensitive information, manipulate data, and deploy additional malicious payloads. The use of DarkTortilla as a loader is particularly concerning because it hides the malicious payload behind a seemingly innocuous file, making it harder for users to detect.

CERT-UA further emphasized that, starting in February 2025, the lures shifted toward topics related to unmanned aerial vehicles (UAVs) and electronic warfare systems. This shift suggests the attackers are now targeting more specific defense technologies, likely to gather intelligence on Ukraine's military capabilities.

Leveraging Social Engineering Tactics for Cyberattacks

One of the key features of these attacks is the use of social engineering to manipulate victims into opening malicious attachments. The use of Signal, a popular messaging platform, broadens the attack surface, giving the attackers a relatively unregulated channel through which to deliver their payloads. Messages often appear to come from trusted sources, such as colleagues or business partners, whose accounts have already been compromised. This makes the activity harder for traditional security controls to detect and block, because the attackers abuse legitimate communication channels to deliver their payloads.

CERT-UA's Ongoing Monitoring and Response

CERT-UA has been closely monitoring these threats and urges everyone working in the defense sector to remain vigilant. Anyone who receives suspicious messages or files is encouraged to report them immediately to the authorities through all available means.

As part of its ongoing efforts, CERT-UA has released a list of indicators of compromise (IOCs) to help organizations identify and respond to the threat. These IOCs include specific file hashes and network addresses associated with the attack. The listed files include "Звіт 10.03.25.rar" and "Наказ 17.02.2025.pdf," which contain the malicious executables linked to DarkCrystal RAT. The network addresses linked to the attacks include:

45[.]130.214.237
62[.]60.235.190
87[.]249.50.64
217[.]25.91.61
83[.]147.253.138

Additionally, several URLs are associated with the compromised network infrastructure; they are used to facilitate the attack and maintain communication between the infected systems and the attackers' servers.

The UAC-0200 campaign highlights the growing cybersecurity risks faced by Ukraine's defense sector. The use of malware like DarkCrystal RAT (DCRAT) underscores the need for stronger defenses, especially against social engineering that exploits communication tools such as Signal. As attackers become more advanced, constant vigilance and proactive cybersecurity measures are essential. CERT-UA's ongoing monitoring plays a crucial role in managing these threats, but individuals must also stay alert and report suspicious activity. With cyberattacks becoming more advanced, it is vital for both government and private sectors to collaborate in strengthening defenses to protect Ukraine's defense infrastructure and national security.

 Business

We closely monitor changes in the tactics of various cybercriminal groups. Recently, experts from Kaspersky's Global Research and Analysis Team (GReAT) noted that, after attacks with Fog ransomware, the attackers were publishing not only victims' data but also the IP addresses of the attacked computers. We haven't seen this tactic used by ransomware groups before. In this post, we explain why it's important and what the purpose of this tactic is.

Who is the Fog ransomware group, and what's it known for?

Since the ransomware business began to turn into a full-fledged industry, the cybercriminals involved have been splitting into various specializations. Nowadays, the creators of the ransomware and the people directly behind the attacks are most often not connected in any way: the former develop the malware along with a platform for attacks and subsequent blackmail, while the latter simply buy access to the code and infrastructure under the ransomware-as-a-service (RaaS) model. Fog ransomware is one such platform, first noticed in early 2024. The malware is used to attack computers running either Windows or Linux. As is customary among ransomware operators in recent years, the affected data is not only encrypted but also uploaded to the attackers' servers and then, if the victim refuses to pay, published on a Tor site. Attacks using Fog have been carried out against companies in the fields of education, finance, and recreation. Often, the criminals used previously leaked VPN credentials to penetrate the victim's infrastructure.

Why are they publishing IP addresses?

Our experts believe that the main purpose of publishing IP addresses is to increase the psychological pressure on victims. First, it increases the traceability and visibility of an incident. Publishing the name of a victim company has a smaller effect, whereas an IP address can quickly reveal not only who the victim was but also what exactly was attacked (whether a server or a workstation in the infrastructure). The more visible the incident, the more likely the victim is to face lawsuits over the data leak and fines from regulators, and therefore the more likely it is to make a deal and pay the ransom.

In addition, publishing an IP address signals to other criminal groups that they can use the leaked data. They become aware of the address of a machine known to be vulnerable and have access to the information downloaded from it, which can be studied and used for further attacks on the same company's infrastructure. This makes the consequences of publication even more unpleasant, and so becomes an additional deterrent to ignoring the blackmailers' demands.

How to stay safe

Since most ransomware attacks still start with employee error, we first recommend periodically raising staff awareness of modern cyberthreats (for example, using an online training platform). To avoid losing access to critical data, we, as usual, recommend making backups and keeping them in storage isolated from the main network. To prevent ransomware from running on the company's computers, every corporate device with network access must be equipped with an effective security solution. We also recommend that large companies monitor activity in their infrastructure using an XDR-class solution and, if necessary, involve third-party experts in detection and response.

 A Little Sunshine

Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.

Image: WLVT-8.

Authorities in Knoxville, Tennessee last week said they arrested 11 Chinese nationals accused of buying tens of thousands of dollars worth of gift cards at local retailers with mobile wallets created through online phishing scams. The Knox County Sheriff’s office said the arrests are considered the first in the nation for a new type of tap-to-pay fraud.

Responding to questions about what makes this scheme so remarkable, Knox County said that while it appears the fraudsters are simply buying gift cards, in fact they are using multiple transactions to purchase various gift cards and are plying their scam from state to state.

“These offenders have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds,” Knox County Chief Deputy Bernie Lyon wrote. “During Monday’s operation, we recovered gift cards valued at over $23,000, all bought with unsuspecting victims’ information.”

Asked for specifics about the mobile devices seized from the suspects, Lyon said “tap-to-pay fraud involves a group utilizing Android phones to conduct Apple Pay transactions utilizing stolen or compromised credit/debit card information,” [emphasis added]. Lyon declined to offer additional specifics about the mechanics of the scam, citing an ongoing investigation.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said there aren’t many valid use cases for Android phones to transmit Apple Pay transactions. That is, he said, unless they are running a custom Android app that KrebsOnSecurity wrote about last month as a part of a deep dive into the sprawling operations of China-based phishing cartels that are breathing new life into the payment card fraud industry (a.k.a. “carding”).

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones? It all starts with phishing.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee. These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet. If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

These phones are then loaded with multiple stolen wallets (often between 5-10 per device) and sold in bulk to scammers on Telegram.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 5-7 digital wallets from different financial institutions.

Merrill found that at least one of the Chinese phishing groups sells an Android app called “Z-NFC” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

Merrill said the Z-NFC software can work from anywhere in the world, and that one phishing gang offers the software for $500 a month. “It can relay both NFC enabled tap-to-pay as well as any digital wallet,” Merrill said. “They even have 24-hour support.”

On March 16, the ABC affiliate in Sacramento (ABC10), Calif. aired a segment about two Chinese nationals who were arrested after using an app to run stolen credit cards at a local Target store. The news story quoted investigators saying the men were trying to buy gift cards using a mobile app that cycled through more than 80 stolen payment cards. ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards.

After their arrests, both men reportedly admitted that they were being paid $250 a day to conduct the fraudulent transactions. Merrill said it’s not unusual for fraud groups to advertise this kind of work on social media networks, including TikTok.

A CBS News story on the Sacramento arrests said one of the suspects tried to use 42 separate bank cards, but that 32 were declined. Even so, the man still was reportedly able to spend $855 in the transactions. Likewise, the suspect’s alleged accomplice tried 48 transactions on separate cards, finding success 11 times and spending $633, CBS reported.

“It’s interesting that so many of the cards were declined,” Merrill said. “One reason this might be is that banks are getting better at detecting this type of fraud. The other could be that the cards were already used and so they were already flagged for fraud even before these guys had a chance to use them. So there could be some element of just sending these guys out to stores to see if it works, and if not they’re on their own.”

Merrill’s investigation into the Telegram sales channels for these China-based phishing gangs shows their phishing sites are actively manned by fraudsters who sit in front of giant racks of Apple and Google phones that are used to send the spam and respond to replies in real time. In other words, the phishing websites are powered by real human operators as long as new messages are being sent.

Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.

The ashtray says: You’ve been phishing all night.

 Feed

The time to secure foundations, empower teams, and make cyber resilience the standard is now — because the cost of waiting is far greater than the investment in proactive security.

 Feed

Two now-patched security flaws impacting Cisco Smart Licensing Utility are seeing active exploitation attempts, according to SANS Internet Storm Center. The two critical-rated vulnerabilities in question are listed below:

CVE-2024-20439 (CVSS score: 9.8): The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an

 Feed

Threat hunters have uncovered a new threat actor named UAT-5918 that has been attacking critical infrastructure entities in Taiwan since at least 2023. "UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim

 Feed

The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS

 Feed

After conducting over 10,000 automated internal network penetration tests last year, vPenTest has uncovered a troubling reality that many businesses still have critical security gaps that attackers can easily exploit. Organizations often assume that firewalls, endpoint protection, and SIEMs are enough to keep them secure. But how effective are these defenses when put to the test? That’s where

 Feed

The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations. These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place

 Feed

Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents," the company said. "This suggests

 0CISO2CISO

Source: hackread.com – Author: Deeba Ahmed. Credential theft alert! Venak Security discovers a BYOVD attack using .SYS drivers to bypass Windows security. Learn how this attack steals user data and gains control. A recent investigation by Venak Security uncovered an attack scenario that leverages a vulnerability within a kernel-level driver associated with Checkpoint’s ZoneAlarm antivirus […] The entry Checkpoint ZoneAlarm Driver Flaw Exposes Users to Credential Theft – Source:hackread.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 1 - Cyber Security News Post

Source: hackread.com – Author: Deeba Ahmed. ServiceNow vulnerability alert: Hackers are actively exploiting year-old flaws (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178) for database access. Learn how to protect your systems. Security researchers at threat intelligence firm GreyNoise have issued a warning regarding a significant increase in malicious activity targeting three previously disclosed vulnerabilities within ServiceNow, a cloud-based platform […] The entry New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest – Source:hackread.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 backdoor

Source: securityaffairs.com – Author: Pierluigi Paganini. Symantec researchers linked a custom backdoor, called Betruger, found in recent ransomware attacks to an affiliate of the RansomHub operation. Symantec’s Threat Hunter team has identified a custom backdoor, named Betruger, linked to a RansomHub affiliate. Designed for ransomware attacks, Betruger combines multiple functions into a single tool to […] The entry RansomHub affiliate uses custom backdoor Betruger – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Breaking News

Source: securityaffairs.com – Author: Pierluigi Paganini. Experts warn of the active exploitation of two recently patched security vulnerabilities affecting Cisco Smart Licensing Utility. Cisco disclosed two vulnerabilities in its Smart Licensing Utility: CVE-2024-20439, a static credential backdoor, and CVE-2024-20440, an information disclosure flaw. Attackers can exploit the backdoor to access sensitive log files. While no […] The entry Cisco Smart Licensing Utility flaws actively exploited in the wild – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Breaking News

Source: securityaffairs.com – Author: Pierluigi Paganini. A data breach at the Pennsylvania State Education Association exposed the personal information of over 500,000 individuals. The Pennsylvania State Education Association (PSEA) suffered a data breach that impacted 517,487 individuals. PSEA is a labor union representing teachers, education support professionals, and other school employees in Pennsylvania. It advocates […] The entry Pennsylvania State Education Association data breach impacts 500,000 individuals – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 'Virus'

Source: securelist.com – Author: Kaspersky ICS CERT.

Statistics across all threats

In Q4 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.1 pp from the previous quarter to 21.9%.

Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024

Compared to Q4 2023, the percentage decreased […] The entry Threat landscape for industrial automation systems in Q4 2024 – Source: securelist.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 cyber

Source: www.darkreading.com – Author: António Vasconcelos […] The entry Why Cyber Quality Is the Key to Security – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.darkreading.com – Author: Arielle Waldman […] The entry University Competition Focuses on Solving Generative AI Challenges – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Albabat

Source: www.infosecurity-magazine.com – Author: 
New versions of the Albabat ransomware have been developed, enabling threat actors to target multiple operating systems (OS) and improve the efficiency of attacks. Trend Micro researchers said ransomware version 2.0 targets not only Microsoft Windows but also gathers system and hardware information on Linux and macOS. Read now: Eldorado Ransomware […] The entry Albabat Ransomware Evolves to Target Linux and macOS – Source: www.infosecurity-magazine.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.infosecurity-magazine.com – Author: 
A component of CheckPoint’s ZoneAlarm antivirus software is being exploited by threat actors in malicious campaigns to bypass Windows security measures. Nima Bagheri, an Austin-based security researcher and founder of Venak Security, shared details of a new Bring Your Own Vulnerable Driver (BYOVD) attack in a March 20 report. In this […] The entry Cybercriminals Exploit CheckPoint Antivirus Driver in Malicious Campaign – Source: www.infosecurity-magazine.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Aggregator history (2025-03): Friday, March 21